Maybe, but what I was worried about with this solution is that you still have /proc mounted and a process that escapes to the helper NS could then access restricted information from the init PIDNS by e.g. parsing /proc via readdir(). It's possible that I'm overthinking this though.